Geopolitical and Cybersecurity Risk Weekly Brief 15 April 2020

15 april 2020


COVID-19 Cybersecurity Update

COVID-19 continues to dominate the cybersecurity landscape with several national security bodies releasing warnings about scams and malicious operations using the pandemic as a lure. US-CERT, CISA, and the UK NCSC issued a joint security advisory outlining an increase in COVID-19-related themes in SMiShing, phishing for credential theft, and malware delivery. The FBI reported an uptick in coronavirus-themed business email compromise (BEC) attacks against US municipalities purchasing personal protective equipment or other medical supplies. These attacks have also targeted financial institutions and banks. And INTERPOL warned of a rise in attempted cyberattacks against hospitals, particularly in the number of ransomware attacks attempting to lock hospitals out of critical systems, despite the ongoing coronavirus pandemic.

UK domain name registrar Nominet has taken down over 600 coronavirus scam sites. These websites have been selling fake vaccines, protective equipment and fraudulent remedies related to coronavirus. A cold call and phishing scam campaign has been targeting Australian users who have been financially impacted by the pandemic. The campaign targets users’ superannuation (pension) funds, which can be accessed from mid-April 2020. 80 such attacks have been reported so far. While in Brazil, coronavirus-themed phishing attacks have more than doubled in the last month. Most of these attacks have been WhatsApp based, and aim to steal users’ personal data. Attacks have also attempted to get victims to download malicious applications to pay through affiliation programs.

Threat actors operating the Cerberus Malware-as-a-Service (MaaS) platform have created a fake app which impersonates the Italian National Social Security Institute (INPS). When victims attempt to claim their EUR600 compensation from the government, they are informed they must install an app which ends in infection with Cerberus.

Issues were also discovered in other COVID-19-related apps. Vulnerabilities were detected in the official coronavirus applications of Colombia and Italy. The official Colombian COVID-19 app is government-sanctioned and has over 100,000 users; it was exposing users’ health and personal data in plaintext. The Italian app was released in Beta testing mode and contains a recompiled backdoor which was actively infecting victims. Backdoors in apps can be exploited by threat actors to install additional malware onto a victim device.

There has been an increase in cyberattacks targeting NASA's systems and personnel working from home during the coronavirus pandemic. Phishing attacks have doubled, and there has been an increase in malware attacks which have been successfully blocked by the organisation. Employees' mobile phones have also been targeted in an attempt to steal sensitive information. Lures have included requests for donations, tax refunds, safety measures, fake vaccines, updates on virus transmissions, and various disinformation.

The DarkHotel threat group has launched a campaign targeting Chinese government agencies and their employees. The attacks began in March and are thought to be using coronavirus-themed lures. More than 200 VPN servers have been attacked in this campaign; 174 of these were located on government agency networks in Beijing and Shanghai. Chinese diplomatic missions operating abroad have also been targeted, in countries such as Italy, the UK, Pakistan, Thailand, Israel, Vietnam, Turkey, Malaysia, Iran, Saudi Arabia, and India.

Interestingly, threat actors have been seen arguing on forums about whether it was ethical or not to exploit fears surrounding coronavirus. Some claimed that it was "shameful" because so many people have died; they asked others to stop exploiting the pandemic for personal and financial gain. Despite this, it is likely that the exploitation of the virus will continue.

Researchers have uncovered further samples of a malicious app that claims to show the number of people infected near the device on which it is installed. The app is called ‘CoronaFinder.apk’ or ‘MediaPlayer.apk’ but contains the Ginp Android banking Trojan.

Android malware expert, LukasStefanko, has uncovered a new Malware-as-a-Service (MaaS) platform for an Android Trojan, called SMSThief. The malware spreads via SMS and is currently still under development. A link within an SMS downloads a file called "chrome-update.apk". The Trojan that is executed subsequently collects and exfiltrates victims' SMS messages and contact lists. Another Android SMS worm - detected by antivirus engines as GoodNews - is infecting large numbers of mobile devices in India. And a malicious Android app is offering coronavirus safety masks: when the app is downloaded, an SMS Trojan is installed, which spreads to others on the victim’s contact list hoping to be installed on their devices, too.

In the UK, in recent days, there have been a number of reported fires at mobile phone masts in the Midlands and the North. Multiple videos ostensibly showing a 5G mast on fire were posted on Facebook on 2 April before being removed a day later. The arson cases come amid the spread of conspiracy theories linking 5G technology to the COVID-19 pandemic. These are usually disseminated via social media to expanding audiences. The risk of violence and vandalism, however, is compounded by growing public suspicion and fear. These recent incidents and the related media coverage will likely inspire more acts of vandalism targeting 5G infrastructure.

Online messaging platform WhatsApp has tightened the forwarding limits on messages in a bid to limit the spread of misinformation relating to the coronavirus pandemic. The current limits mean that users will only be able to forward one message per time instead of simultaneously sending a message in five conversations. The new restrictions will clearly limit the flow of information; Facebook said that a similar move introduced previously led to a 25 per cent drop in message forwarding. Combating the spread of misinformation has emerged as a clear priority for governments and international organisations, signifying that pressure on social media platforms to take bolder action will persist.

ZOOM, SKYPE, AND VIDEO CONFERENCING RISKS

Thousands of recorded Zoom meetings have been found exposed on the internet without any password protection. These include private business discussions, meetings, therapy sessions, conversations between friends, and even sexual content. Most of the recordings appear to have been made public by mistake. 15,000 exposed videos were discovered by a security researcher following a scan of unsecured cloud storage. Searching the Zoom file name on YouTube, Google, and Vimeo also reveals thousands of these videos.

Google has banned the use of Zoom by its employees. The company is citing security concerns with the app that have arisen since Zoom became one of the most popular services for free video chatting during the COVID-19 pandemic. Google employees will be expected to use the enterprise Zoom competitor, Meet, which is part of the G Suite.

On 8 April, Taiwan’s department of cyber security (DCS) also banned the use of Zoom after it was revealed that the US-based company had mistakenly routed communications through China – allegedly since February. The DCS has suggested government agencies use local providers, including CyberLink’s U Meeting, or other international technology companies providing similar services, such as Google’s Hangouts Meet and Microsoft Teams. Given the ongoing dispute over sovereignty claims between China and Taiwan, the channelling of government communications, no matter how apparently benign or accidental, has raised the alarm in Taipei.

Trend Micro uncovered a new campaign targeting Zoom users with cryptocurrency mining Trojans. The malware reportedly comes from fraudulent websites that masquerade as Zoom, although the researchers were unable to find any still online. Users still receive a legitimate version of the Zoom installer, but the Trojan works in the background, hijacking the device’s resources, and sends the mined virtual currency to the attackers.

Skype is one of the many video calling applications that is also being used as a lure in malware campaigns. Most of the applications were illegitimate copies of the real service. Skype is not the only application being targeted: of 1,300 suspicious files, not including Skype, 42 per cent were disguised as Zoom, 22 per cent as WebEx, 13 per cent as GoToMeeting, 11 per cent as Flock, and 11 per cent as Slack.

A phishing campaign was found targeting WebEx credentials. Emails purporting to be a Cisco "critical update" contained a link to a fake update page. While this page appeared legitimate, the official Cisco SSL certificate is verified by HydrantID and the attacker’s certificate was through Sectigo Limited. This page has since been removed. 

 

Attacks and cybersecurity news

A new exploit has been developed for a remote code execution vulnerability in the MSHTML engine, tracked as CVE-2019-0541. Microsoft Office, Microsoft Office Word Viewer, Internet Explorer 9, Internet Explorer 11, Microsoft Excel Viewer, Internet Explorer 10, and Office 365 ProPlus are all affected. It is currently being deployed in a phishing attack against the Polish government. This attack appears to be state-sponsored.

Threat actors LulzSecITA claim to have stopped their attacks due to the coronavirus pandemic. Despite this, the group has still announced a list of Italian universities which it compromised before the outbreak of the virus. LulzSecITA claims to be committed to improving the security to Italian universities and educational institutions. The data will be released after the pandemic.

UAE’s Telecommunications Regulatory Authority (TRA) foiled 34,930 cyberattacks targeting the country’s government agencies in March. This constitutes an increase of 11 per cent on February’s numbers. The majority of these attacks (59 per cent) were malware-based, and a third (34 per cent) were attempts to exploit systems. TRA’s statement is part of a wider global trend. Governments and businesses around the world are witnessing a significant increase in cyberattacks that capitalise on the fear sparked by the ongoing COVID-19 pandemic.

In the latest update to the ongoing legal battle between Facebook and NSO Group, the latter's CEO, Shalev Hulio, has claimed that Facebook attempted to acquire the notorious Pegasus spyware to better monitor their iOS users' behaviour. Pegasus made international headlines after it was said to have been installed on the mobile phone of murdered Saudi journalist Jamal Khashoggi. It also made headlines in early 2020 when it was used against a New York Times journalist reporting on Saudi Arabia; and Amazon CEO, Jeff Bezos’, phone may have been infected with the spyware after a meeting with the Saudi crown prince, though this has not been confirmed.

In February, Mike O'Connor, the owner of the 'corp.com' for 26 years, revealed that he had decided to sell the domain. This is a sensitive domain: whoever owns it has access to a stream of passwords, emails, and other internal data belonging to hundreds of thousands of misconfigured Windows PCs at major companies worldwide. Microsoft has now agreed to buy the 'corp.com' domain to keep it out of the hands of threat actors.

The Sodinokibi ransomware attack on Travelex at the end of 2019 caused the company to take its servers offline, seriously impacting the global transfer of funds between countries and hampering many banks’ ability to do business. According to The Wall Street Journal, which cited "a person familiar with the transaction", Travelex paid a USD2.3m ransom to the Sodinokibi group. Travelex is still refusing to publicly confirm or deny any details about payment. 

 

Data breaches, fraud, and vulnerabilities

Data Breaches

Security researcher Bob Diachenko reported that the MyRenault application was exposing the data of its Indian customers. The data was leaked on an Amazon S3 bucket and exposed information such as names, email addresses, phone number, residential addresses, login details, and more. There was no response to the researcher's attempts at responsible disclosure.

An Italian email service provider, Email.it, has been attacked. Threat actors NNHackingGroup stole the data of more than 600,000 Email.it users and are now selling it on the Darknet for between 0.5 and 3 BTC (USD3,500 and USD22,000). NNHackingGroup claims to have infiltrated the company systems over two years ago and remained active on the system for an extended period.

A database containing over 2,300 compromised Zoom credentials has been leaked on a darknet forum. Some of the accounts are corporate, including some for banks, consultancy companies, educational facilities, healthcare providers, and software vendors. Some are accompanied by meeting IDs, names, and host keys. Prior to this, security researchers had found a collection of 352 compromised Zoom accounts leaked on another darknet forum.

Raid Forums member togoodforthisshit is selling multiple databases containing PII and financial information belonging to several Chinese banks, mobile providers, airlines, insurance providers, and various businesses. The leaked data comprises approximately 80 million records that include full names, phone numbers, residential addresses, internet activity, financial information and dates of birth. Bank of Shanghai and China Industrial Bank are two of the most high-profile companies mentioned in the leak.

Raid Forums member ROLLEX313 has leaked a database from Russian gaming website ONGAB. The leaked data comprises approximately 250,000 usernames, email addresses, social media profiles (VK/Facebook), biodata, registration dates and passwords.

Fraud

The FBI's Internet Crime Complaint Center (IC3) has issued a public service announcement warning that cybercriminals are abusing cloud-based email services in Business Email Compromise (BEC) attacks. Scammers are using phishing kits that closely imitate the services' interface. A similar warning was issued on 3 March, warning of BEC attacks targeting Microsoft Office 365 and Google's G Suite. Funds stolen in BEC attacks are not often recovered. The attackers behind this type of fraud are generally experienced and have extensive money laundering networks to exfiltrate the funds. The IC3's annual report attributed USD1.77 billion in losses to BEC attacks in 2019.

Vulnerabilities

Samsung has issued a security advisory to apply the latest updates for its flagship models. The updates include patches from Google and Samsung. Some patches from chipset vendors (also known as Device Specific patches) may not be included in the security update package. They will be included later when the patches are ready to be disseminated.

357,629 (82.5 per cent) of all Microsoft Exchange servers currently exposed online still have not been patched against the CVE-2020-0688 vulnerability. This bug was patched almost two months ago, and unpatched servers have since been targeted in the wild. There are over 31,000 Exchange 2010 servers which have not been updated in the past eight years, and 800 Exchange 2010 servers which have never been updated.

Multiple vulnerabilities have been found in iOS and macOS devices. These could allow an attacker to take control of the device's microphone and camera. The flaws are found in Safari: when used in succession. All the bugs are trivial in isolation but when combined, they could facilitate remote surveillance. This could allow an attacker to take photos, and record audio and video. The attack would work on iPhones, iPads, and Macs.

Multiple critical vulnerabilities have been found in HP Support Assistant which expose Windows PCs to remote code execution attacks. They can also lead to privilege escalation or the deletion of arbitrary files. HP computers sold after October 2012, running Windows 7, 8, and 10 operating systems all come with the Support Assistant and are therefore vulnerable.

Google and Mozilla have both addressed high-severity vulnerabilities in their browsers which could lead to remote code execution. Browsers should be updated as soon as possible to avoid potential compromise.

 

APT Activity and Malware Campaigns

APT activity

A new MuddyWater log file found in a breached C&C server exposed a unique Iranian IP address, likely to belong to the threat group. Further analysis of the log file found that the main targets of this campaign include Pakistan and Turkey. The US, Canada, Spain, Germany, and the UK, amongst others, are all possible targets. MuddyWater has primarily focused on countries in the Middle East and their near neighbours. Government and government-affiliated organisations have been targeted in the past, with cyber-espionage generally thought to be the main aim.

BlackBerry Cylance produced a report on five related APT groups, backed by the Chinese government, that have systematically targeted Linux servers, Windows systems, and mobile devices, while remaining undetected for nearly a decade. The report provides further insight into pervasive economic espionage operations targeting intellectual property. Many of these Chinese APTs appear to be secret groups or contractors that are not documented parts of the Chinese military. Despite this, however, they are all well-structured, robustly financed and highly organised.

Tencent uncovered several new mobile apps, created by DoNotTeam, being deployed in a cyber-espionage campaign against Pakistan. These apps are disguised as system tools, markets, games, and news. The apps remotely control the infected device and steal confidential information. DoNotTeam (also known as APT-C-35 or Bellyworm) has been launching various campaigns around South Asia since 2016. It is believed to be a state-sponsored group and has developed malware for Windows operating systems and mobile Android devices. 

Malware

The operators of the Sodinokibi, Doppelpaymer, and Maze ransomware continue to target businesses in all sectors around the world. Organisations should ensure that employees are aware not to click links within emails or open attachments sent with emails from unknown senders.

A series of ransomware attacks have been reported on Chinese forums in which users claim to have been hit by the WannaRen ransomware. Platforms such as Zhihu, Baidu Tieba, and others saw users seeking help after their files had been encrypted. WannaRen’s behaviour is reported to be similar to WannaCry, the malware that caused havoc worldwide in 2017: it encrypts the same files and folders on Windows systems and spreads via EternalBlue. WannaRen is only effective against organisations that have failed to update older Windows systems. This is particularly the case for those still running SMBv1.

Researchers from CarbonBlack recently found that Qbot now acts more like a worm, spreading across network-shared spaces or via Server Message Blocks (SMB). The malware also contains multiple anti-analysis capabilities such as detecting if it is being analysed in a virtual machine. This new link to Dridex and Trickbot further demonstrates the regard with which the threat actors behind Qbot are held in the cybercriminal community, particularly if other groups such as UNC1878, EvilCorp or TA505 are working with them.

Financially motivated cybercriminal group FIN6 has been deploying the Anchor and PowerTrick variants of the infamous Trickbot malware. This suggests that FIN6 (also known as ITG08) is in some way working with, but not strictly connected to, the authors of Trickbot. FIN6 is known for targeting the retail and hospitality sectors, so it is likely that this campaign is targeting those sectors. Trickbot is often sold as a malware-as-a-service, so the FIN6 group may have purchased anchor for use in its campaigns. This is not the first time Trickbot has been paired with other malware, as it is often delivered alongside the Emotet malware and Ryuk ransomware.

Kaspersky Labs has reported on an ongoing, large-scale xHelper Trojan campaign targeting Android smartphones around the world. XHelper installs a backdoor with the ability to execute commands as a superuser. It gives full access to all app data and can be used by other malware. The Trojan disguises itself as various cleaner and speed-up apps for Android devices.

Bitdefender has uncovered a new Internet of Things (IoT) botnet, dubbed DarkNexus, that is demonstrating advanced tactics, techniques, and procedures (TTPs) in comparison to other botnets. DarkNexus has only existed for three months. The botnet is also linked to the infamous Qbot banking malware (also known as Qakbot). As with all IoT botnets, DarkNexus is a concern due to the vast number of unsecured IoT devices around the world. Each time a new exploit is revealed for a vulnerability in these devices, botnet authors can incorporate it into their automated attacks. DDoS botnets, such as DDG botnet and the new Mirari variant called Makushi, are a particular threat. They are often offered as a DDoS-for-hire services and can be combined with other attacks for effective exploitation. 

Darknet

COVID-19 continues to disrupt the darknet, with the drug trade faring poorly, particularly those vendors whose business relies on importing raw materials or exporting to customers internationally. The US Postal service recently announced that it was suspending international postal services to several countries, including Italy, South Africa and India. Many vendors are now choosing to not ship internationally, which may present a new opportunity for small-scale domestic vendors.

The fraud side of the darknet, however, has experienced less disruption due to the more virtual nature of the products being sold. Most fraud activity continues uninterrupted, for now. However, this may soon change if stricter lockdowns limit the ability of criminals and their networks of money mules to physical ‘cash-out’ on fraudulent transactions.

There has been a notable increase in the number of vendors claiming to sell medication for treating COVID-19. Specifically, we have seen an increase in vendors claiming to sell Hydroxychloroquine: this is likely to be in response to President Trump’s promotion of the drug as a potential cure. In response to the sheer volume of COVID-19 related scams on the darknet, one of the more popular markets, Monopoly, has now completely banned vendors mentioning COVID-19 as part of their marketing strategy. Other markets may follow suit.

Finally, the MaaS group, ZombieOutbreakResponseTeam, has received increased coverage this week. This group sells access to networks that were compromised using RDP, with the option of then deploying ransomware. It has been active on darknet forums for several months but has recently updated its malware. Given the recent rise of working from home, the number of victims compromised using RDP has increased significantly. 

 

COVID-19 Geopolitical Threats and Impacts

Americas

The US federal government has reached an agreement with Minnesota-based company 3M, a major producer of N-95 facemasks (or respirators), regarding the export destination of the company’s face masks. 3M will produce 166.5m facemasks for the US in the next three months, while also fulfilling orders in Canada and Latin America. The agreement came three days after President Trump invoked the Korean War-era Defense Production Act (DPA) to halt the export of critical medical supplies during the pandemic. This deal indicates that the White House is likely to use the DPA as leverage in negotiations on the production and export of medical supplies. Companies supplying crucial medical equipment to the US during the pandemic should monitor federal government announcements and cooperate closely with government stakeholders.

On 8 April, Vermont Senator Bernie Sanders suspended his campaign to become the Democratic Party’s nominee in November’s presidential election. This clears the path for former vice-president Joe Biden to become the Democrats’ nominee. The legacy of Sanders' campaign, however, defined by his advocacy for universal healthcare and free university tuition, will likely influence the party’s platform which centrist Biden takes into November’s election. Companies with interests in the US economy should monitor updates on both major parties’ 2020 policy platforms, and scenario plan for the victory of either major party candidate.

China’s ambassador to Brazil, Yang Wanming, requested an official explanation from the Brazilian government on 6 April over a mocking tweet from education minister Abraham Weintraub, insinuating a link between the coronavirus (COVID-19) pandemic and China’s alleged ‘plan for world domination’. In a statement also released on 6 April, China’s embassy in Brazil described the comments as ‘highly racist’ and ‘absurd’. This will further damage diplomatic ties between Brasília and Beijing which were shaken by comments from President Jair Bolsonaro’s son Eduardo, who has used the phrase ‘Chinese virus’ and criticised the Chinese government’s handling of its outbreak. Paradoxically, this comes as Brazil seeks to increase its imports of Chinese medical equipment during the pandemic. Businesses with interests in Sino-Brazilian trade should monitor updates, particularly from China’s embassy to Brazil, for developments potentially affecting trade.

Brazil is also struggling on another front, with the falling demand for tropical fruit among consumers in the EU during the coronavirus pandemic leading to a decrease in orders, according to a representative of the Brazilian exporters’ association Abrafrutas, quoted by the Reuters news agency. Impacted exports include mangoes and papayas. The EU, many of whose countries have recorded thousands of cases of COVID-19, accounts for approximately 60 per cent of Brazil’s fruit exports. Amid the pandemic, consumers are reportedly opting for longer-lasting fruits, such as apples and bananas, amid government calls to minimise non-essential journeys outside the home. Companies exporting fresh tropical fruit, both in Brazil and elsewhere, should anticipate reduced demand in core markets in the short-to-medium term and identify alternative markets, including in domestic and neighbouring markets. 

APAC

The Asian Development Bank (ADB) has warned that the impact of the coronavirus on tourist-dependent Pacific economies will be unprecedented and potentially long-lasting. The ADB’s 2020 Development Outlook predicts that the interruption in travel and trade will badly affect such countries as Cook Islands, Fiji, Palau, Samoa, and Vanuatu. The report further notes that growth can only return once travel restrictions are lifted and there is a clearer picture of the full economic impact of COVID-19 on airlines, tourist venues and, most importantly, the disposable income in the markets that provide most of the visitors to the Pacific island nations. Some international and regional carriers, for example, are unlikely to survive a protracted loss of income, leading to muted competition and higher air fares.

The fears for airlines are mirrored further north in India where Civil Aviation Minister, Hardeep Singh Puri, moved to quash rumours that the country’s commercial aviation sector will resume operations after the 21-day national lockdown ends on 14 April. He tweeted that this was “mere speculation” and that the situation will be reassessed on a case-by-case basis. Even before India was struck by the coronavirus (COVID-19) pandemic, India’s commercial aviation sector had been severely impacted by the country’s economic downturn that has led to negative year-on-year growth. While indicators point towards a downward deviation for the industry, some airlines may be able to offset losses by supporting the government with COVID-19-related logistics operations. The nation’s largest carrier, Air India, announced that it will take reservations from 1 May, which should serve as a good indicator as to when the industry intends to begin passenger services.

EUROPE

The Swiss government has expanded its existing powers to force companies to increase production of critical medical goods used for treatment and protection during the COVID-19 outbreak. Manufacturers could be forced to focus production of some supplies over others or to increase production. Switzerland has one of the highest per capita rates of infection in the world. For Swiss-based businesses producing pharmaceutical products and any relevant healthcare equipment, this will mean shifting production at short notice. Companies affected by the decree should anticipate likely communications from the government and implement plans to reorient resources towards producing COVID-19-related goods.

Two senior government figures in the German government have agreed to establish ‘strict rules’ allowing more flexibility to the agriculture sector around the hiring of foreign seasonal workers. Producers are planning to recruit 40,000 workers in April and another 40,000 in May – despite border closures in the face of coronavirus. Temporary workers will have to undergo medical checks upon arrival, spend 14 days separated from other workers, and will be housed under quarantine near workplaces. Companies with interests in the agriculture sector should factor the measures into hiring practices and ensure foreign workers comply with the health requirements.

Also in Germany, on 8 April, the government agreed to tighten rules protecting domestic firms from takeovers by non-EU investors amid the dire economic outlook due to the ongoing coronavirus (COVID-19) pandemic. Transactions in sensitive sectors such as defence which have implications for national security would be put on hold until a financial decision is announced. Moreover, a potential deal could undergo a review if there are concerns that there is a ‘likely harm’ to domestic and EU security. The rules will require parliamentary approval before being officially adopted.

The implications of such a move are three-fold. Firstly, it signifies that an EU-wide trend, in which more political intrusion into the private sector will be justified on national security grounds, will be accelerated and other member states will likely follow suit. More practically, firms in some industries deemed sensitive will face additional hurdles when seeking to raise capital investment, potentially jeopardising expansion plans. On a broader level, new regulations on foreign ownership will send an adverse signal to international investors, raising questions about Germany’s openness to trade.   

MENA and Central Asia

Divisions within Iraq’s Popular Mobilization Units (PMU) have been highlighted in the past three weeks, with four major Shiite factions loyal to influential Iraqi Ayatollah Ali al-Sistani announcing their withdrawal from the Iran-backed organisation on 18 March. The withdrawal of the al-Sistani militias coincided with the naming of Adnan Al-Zurfi as prime minister-designate, a dual US-Iraqi citizen who has signalled he would check the dominance of Iran’s proxy groups. Al-Zurfi is expected to be approved as prime minister (PM) later this month, a clear demonstration of the pro-Iran militias’ increasing weakness – Iran-backed groups and politicians were previously able to enforce their choice of PM. There is a realistic probability that additional attacks will occur as pro-Iran groups increasingly feel the need to project power amid a retreat from political influence.

At least three rockets hit near the site of US oil service company Halliburton in the Burjesia area in the southern oil-rich Iraqi province of Basra on 6 April. No significant damage was reported, and there were no casualties. No group has claimed responsibility for the attack. This is the first attack targeting oil infrastructure since last summer (2019), when a rocket hit an Iraqi compound housing several international oil majors, including ExxonMobil, Shell and ENI, and injured three local workers. In the aftermath of Monday’s attack, there is likely to be an enhanced security force deployment in the Burjesia area of Basra. In the coming days and weeks, there is an elevated risk of additional low-level rocket attacks taking place against US and other Western energy companies as well as against US military and diplomatic interests.

Despite international calls for a ceasefire, the UN-recognised Government of National Accord (GNA) in Libya recently announced that its forces had killed 20 militiamen loyal to Field Marshal Khalifa Haftar, who commands the Libyan National Army (LNA), in airstrikes in the central coastal town of Sirte. Additional airstrikes reportedly destroyed a munitions convoy bringing arms to LNA forces and killed a munitions truck driver.

Libya is particularly vulnerable to the coronavirus pandemic; fighting to control territory has destroyed much of the country’s infrastructure, while its weak healthcare system has limited its ability to detect and treat the disease. There is a realistic possibility that Haftar uses this pandemic as an opportunity; he may move to increase the military efforts of the LNA. Additional airstrikes are probable in the coming days.

In Turkmenistan, on 3 August, around three dozen women staged a protest denouncing the shortages of government-subsidised flour and vegetable oil in the south-eastern province of Mary. The protesters blocked the highway linking Mary city with the capital, Ashgabat, before marching toward the nearby headquarters of the provincial administration. Local authorities reportedly assuaged the demonstrators by handing out sacks of flour. 

Sub-Saharan Africa

The general managing director of the state-owned Nigeria National Petroleum Corporation (NNPC), Mele Kyari, recently said in an interview with local media that the government would suspend fuel subsidies and that oil refineries would be shut for maintenance and to secure financing for their planned upgrades. While Kyari’s announcement makes sense from a fiscal perspective, with the government getting over 90 per cent of its revenue from crude oil exports, previous attempts at removing the fuel subsidy in Nigeria have failed due to intense public backlash, including violent protests. While mobilisation against the move has likely been muted due to ongoing COVID-19-related travel restrictions in the capital Abuja and the commercial hub Lagos, civil unrest is likely to increase in the one-month outlook.

The Central Bank of Kenya (CBK) has suspended the foreign exchange trading licence of Absa Kenya (formerly known as Barclays Bank Kenya), ordering it to halt such operations from 9 to 15 April. The decision is motivated by what the CBK deems is lax enforcement of anti-money-laundering and counter-terrorist-financing (AML/CTF) rules. During the suspension, which came into effect on 9 April, Absa Kenya is prohibited from conducting inter-bank foreign exchange market transactions. This will hamper the ability of businesses and private persons to transfer money to overseas accounts. Managers of banks and financial service providers should assess the compliance risks associated with government lockdowns, and develop processes for ensuring compliance with AML/CTF standards over the coming three months, at least.


Powered by Cyjax Ltd and A2 Global Risk Ltd. 2020